The EventType is a complex type representing a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
| Field Name | Type | Description |
|---|---|---|
| @idoptional | QName |
The id field specifies a unique id for this Event. |
| @idrefoptional | QName |
The idref field specifies a unique id reference to an Event defined elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it. |
| Type0..1 | ControlledVocabularyStringType |
The Type field uses a standardized controlled vocabulary to capture what type of Event this is. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field. |
| Description0..1 | StructuredTextType |
The Description field provides a mechanism to specify a structured text description of this Event. |
| Observation_Method0..1 | MeasureSourceType |
The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event pattern). |
| Actions0..1 | ActionsType |
The Actions construct enables description/specification of one or more cyber observable actions. |
| Location0..1 | LocationType |
The Location field specifies a relevant physical location. This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd. Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field. |
| Frequency0..1 | FrequencyType |
The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action. |
| Event1..1 | EventType |
This Event construct is included recursively to enable description/specification of composite Events. |